Compliance

In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organisations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws and regulations. Due to the increasing number of regulations and need for operational transparency, organizations are increasingly adopting the use of consolidated and harmonized sets of compliance controls. This approach is used to ensure that all necessary governance requirements can be met without the unnecessary duplication of effort and activity from resources. [1]

Compliance: Standards and Regulations[2]
Compliance is a prevalent business concern, partly because of an ever-increasing number of regulations that require companies to be vigilant about maintaining a full understanding of their regulatory compliance requirements. IT compliance guidelines vary by country; SOX, for example, is a U.S. legislation. Similar legislation in other countries includes Germany's Deutscher Corporate Governance Kodex and Australia's Corporate Law Economic Reform Program Act 2004. As a result, multinational organizations must be cognizant of the regulatory compliance requirements of each country they operate within. As regulations and other guidelines have increasingly become a concern of corporate management, companies are turning more frequently to specialized compliance software and IT compliance consultancies. Many organizations have even added compliance jobs such as a chief compliance officer (CCO). Some prominent regulations, standards and legislation with which organizations may need to be in compliance include:

Sarbanes-Oxley Act (SOX) of 2002: SOX was enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. Among other provisions, the law sets rules on storing and retaining business records in IT systems.

Can Spam Act of 2003: The Can Spam Act requires businesses to label commercial emails as advertising, use legitimate return email addresses, provide recipients with opt-out options and process opt-out requests with 10 business days.

Health Insurance Portability and Accountability Act of 1996 (HIPAA): HIPAA Title II includes an administrative simplification section that mandates standardization of electronic health records systems and includes security mechanisms designed to protect data privacy and patient confidentiality.

Dodd-Frank Act: Enacted in 2010, this act aims to reduce federal dependence on banks by subjecting them to regulations that enforce transparency and accountability in order to protect customers.

Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a set of policies and procedures created in 2004 by Visa, MasterCard, Discover and American Express to ensure the security of credit, debit and cash card transactions.

Federal Information Security Management Act (FISMA): Signed into law in 2002, FISMA requires federal agencies to conduct annual reviews of information security programs, in order to keep risks to data at or below specified acceptable levels.

Types of Compliance[3]
Usually, companies ensure compliance by creating policies and procedures and then establishing a compliance department to make sure everyone adheres to policy.In general, compliance in the workplace involves two important areas. These types of compliance go hand in hand, and both are essential. An organization that neglects regulatory compliance may face federal fines or legal action, and could even be shut down:

Regulatory Compliance: the steps an organization takes to comply with relevant external laws, regulations, and guidelines.

Corporate Compliance: the actions and programs an organization sets in place to ensure compliance with internal policies, procedures, and accepted behavior, as well as external regulations. An organization without a corporate compliance program may have chaotic, wasteful, or unethical practices.

The Importance of Compliance[4]
Compliance is important for at least eight reasons.
1) Compliance is part of your organization’s duties to its community and stakeholders. The first reason is most basic. If you run a business (whether for-profit or nonprofit), you benefit from your community’s basic services. In return, you owe duty to comply with the law. Furthermore, if you use the resources of others (investors, creditors, donors), you need to be able to assure them that you are regulating the conduct of your employees and that you are complying with applicable rules and regulations.
2) Without a compliance function, you cannot reliably build or maintain trust with others. Trust is fostered through three elements: (1) repeated interactions with another person; (2) honest communication with that person; and (3) following through on commitments. Organizations cannot ensure that they are meeting element (2) or (3) unless they have adopted rules about proper communications and proper follow through. The head of the organization can’t be confident that others are being honest in their interactions unless the organization has adopted rules about honesty and trained people about the importance of honesty and candor. The leader cannot be confident that people are following through on commitments unless there are rules and norms that have been adopted and emphasized throughout the organization.
3) If you have no compliance function, you invite reputational damage. I like to note Warren Buffett’s adage that it takes 20 years to build a reputation and about five minutes to lose one. Research shows that people want to interact with organizations that have a reputation for honest dealings. It’s therefore no surprise that leaders consistently rank reputational risk as their number one worry. If you are not trusted in the marketplace, customers are unlikely to work with you. On the other hand, if you are trusted, customers will give you the benefit of the doubt. Without a strong compliance function, however, an organization is like the blindfolded man: any step may lead to disaster.
4) Compliance helps define an organization’s “why.” In his book Start With Why, Simon Sinek explains that one can describe an organization in three categories: what it does, how it does it, and why it does it. Sinek maintains that the best companies focus on the “why.” “When most organizations or people think, act or communicate they do so from the outside in, from WHAT to WHY. And for good reason – they go from the clearest thing to the fuzziest thing. We say WHAT we do, we sometimes say HOW we do it, but we rarely say WHY we do what we do. But not the inspired companies. Not the inspired leaders. Every single one of them, regardless of their size or their industry, thinks, acts and communicates from the inside out.” Simon Sinek, Start With Why (2009), at 39. The “why” of an organization drives and motivates its efforts. One crucial aspect of that “why” is the set of values and ethical principles that guide the organization’s behavior. A compliance function leads an organization to determine those values and ethics. It requires the organization to describe those values and ethics sufficiently that team members understand them and will refer to them. It requires an organization to train team members on values and ethics, and requires the organization to hold team members accountable for them. In other words, compliance helps to define the why.
5) Compliance helps define and regulate an organization’s “how.” Continuing reference to Sinek’s work, compliance also helps an organization define and monitor its “how.” Compliance focuses on what behaviors will and won’t be permitted in execution of the “why.” As I have mentioned elsewhere, too many people consider compliance as an exercise in saying no: those in charge of the rules enforce those rules to prohibit behavior. That misconceives the central contribution of compliance. When compliance is done well, it increases efficiency and effectiveness because employees have been trained to know, intuitively, how do their jobs and how to reason through ambiguous situations. Thus, compliance is not designed to generate “no.” It aims for intuitive “yeses.”
6) Compliance can serve as a driver of change and innovation. Some people also view compliance as inherently conservative. They think the purpose of compliance is to rein in conduct. Again, that’s not true. Compliance instead can serve as a powerful tool of long-term change. If every day behavior stems from training and codes of conduct, and codes of conduct stem from values, articulation and modification of values over time can profoundly influence organizational behavior. In the words of system theorists, values can be a leverage point, and compliance ultimately focuses on the driving values of an organization.
7) Compliance enhances consistency. Without a compliance function, decisions are ad hoc and made in a vacuum. Articulated values, ethics policies, and codes of conduct provide reference points for making decisions a matter of routine. As Peter Drucker explained, “All events but the truly unique require a generic solution. They require a rule, a policy, a principle. Once the right principle has been developed all manifestations of the same generic situation can be handled pragmatically; that is, by adaptation of the rule to the concrete circumstances of the case.” Peter Drucker, The Effective Executive (2006), at 125.
8) Compliance can reduce unforced errors. Unforced errors are the most common risks to organizational performance, and compliance helps prevent unforced errors. Too many people think about risks in terms of outside forces that can affect an organization. They worry about crooks and scam artists, customer demands, funder and stakeholder demands, natural disasters, and broad economic trends and forces. Yet most threats and opportunities are generated internally. This is why Drucker emphasized that more than 90 percent of effort in even the best run organizations is waste or, worse, activity that actually harms the organization. This is also one of the core insights of the “lean management” or Toyota Production System revolution over the last couple of decades. Lean management seeks to make waste visible so that the organization can improve over time. Compliance can help here, too. Organizational waste includes disputes and human misunderstandings. A healthy compliance function can help make that waste visible, by tracking core metrics that may show areas of underperformance and friction. It can prevent disputes and misunderstandings.

Elements Of An Effective Compliance Program[5]
The requirements for an "effective compliance program" are summarized as follows:

A Written Program. The organization must have standards and procedures to prevent and detect criminal conduct.

Board Oversight. The organization’s board of directors or equivalent must be knowledgeable about the content and operation of the compliance and ethics program and must exercise reasonable oversight of its implementation and effectiveness.

Responsible Persons. One or more individuals among the organization's high-level personnel must be assigned overall responsibility for the compliance and ethics program.

Operating and Reporting. One or more individuals must be delegated day-to-day operational responsibility for the compliance and ethics program. They must report periodically to high-level personnel and, as appropriate, to the board of directors or its audit committee or equivalent on the effectiveness of the program. The individuals must have adequate resources, appropriate authority, and direct access to the board or audit committee.

Management's Record of Compliance. The organization must use reasonable efforts not to hire or retain personnel who have substantial authority and whom the organization knows or should know through the exercise of due diligence have engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.

Communicating and Training. The organization must take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to directors, officers, executives, managers, employees and agents - by conducting effective training programs and otherwise disseminating information appropriate to the individuals’ respective roles and responsibilities.

Monitoring and Evaluating; Anonymous Reporting. The organization must take reasonable steps

(a) to ensure that its compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct,

(b) to evaluate periodically the effectiveness of the compliance and ethics program and

(c) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

Consistent Enforcement, Incentives and Discipline. The organization’s compliance and ethics program must be promoted and enforced consistently throughout the organization through appropriate

(a) incentives to perform in accordance with the compliance and ethics program and

(b) disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.

The Right Response. After criminal conduct has been detected, the organization must take reasonable steps to respond appropriately and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program.

Assessing the Risk. The organization must periodically assess the risk of criminal conduct and take appropriate steps to design, implement, or modify its compliance program to reduce the risk of criminal conduct identified through this process.

Creating a Compliance Roadmap[6]
Compliance is a multifaceted and complex matter. It requires a well-thought out plan with the right policies and procedures in place to ensure requirements are met in a timely manner and a pristine record-keeping system to document those procedures. Depending upon the size and focus of your business, you may opt to have an in-house compliance professional or entire department working to identify, prevent, monitor, resolve and advise with regard to compliance risks. Don’t leave compliance to chance. Be proactive in your efforts to meet all of your obligations and rest easy at night knowing that you are on the right path. Compliance or acting according to a set of rules is a fact of doing business whether you are a business owner, executive, HR manager or sales representative. Navigating the path to compliance requires proactive planning and organization but doesn’t have to be overwhelming. The following four common areas of compliance must be considered when creating your compliance road map.

Human resources: Human resources covers a vast amount of important issues and requires a compliance deep dive. Failure to comply with even a single human resource policy can land your company in a legal mess. Review your human resources policies and procedures at least once per year to assure they are in compliance. Keep up with changing Affordable Care Act (ACA) provisions and if your company is growing, find out at what number of employees your compliance requirements change. Stay current on what constitutes a workplace and telecommuting, marriage equality and benefits, and preventing harassment and discrimination in the workplace.

Workplace Safety: The Occupational Safety and Health Administration (OSHA) is a national public health agency committed to protecting workers from hazards at work. This means your office, retail or manufacturing space must meet all applicable local and federal guidelines for safety. Conduct regular safety checks, fire drills and inspections by the appropriate governing agencies. In addition, train employees to meet any operational guidelines or your workplace will not be compliant.

Financial Services: Financial services regulations should be at the top of your “compliance” list. Failing to pay your withholding, workers comp or quarterly income tax is the fastest way to land on the radar of the I.R.S. and other governmental taxing authorities. Unlike private corporations to whom you owe money, the government can shut down your company. Financial services regulators work for the protection of investors/consumers, to ensure fair markets, to reduce systematic risk and financial crime and to maintain consumer confidence in the financial system. Anything your business does to compromise these will land you in hot water.

Data Security: Have security requirements in place for safeguarding sensitive data. Test your data compliance measures regularly to be sure they are working properly and quickly.Test your data compliance measures regularly to be sure they are working properly and quickly. An examiner may require the immediate production of records. Make sure your company’s data storage and networking infrastructure is up to date. Prepare for unannounced compliance audit by obtaining a copy of an inspection checklist from a specific regulatory or governing agency.

Top Compliance Concerns[7]
It is all too evident to most organizations that, like it or not, ensuring regulatory compliance is not only a mandated requirement but getting more and more challenging. The regulatory landscape is constantly changing and compliance requirements are becoming more stringent.

• A 2017 survey of compliance professionals and boards identified several prevalent areas of concern, which overlap in certain respects:

Thomson Reuters, Cost of Compliance 2017

• Another recent survey identified the following top five risks, as identified by Board members and senior executives around the world:

Establish Customer Trust and Brand Loyalty: Reputation matters. Gaining a reputation as an organization that fails to meet its compliance obligations can jeopardize customer trust and loyalty. In fact, reputational risk was cited as the #1 main driver for regulatory compliance in a recent AIIM survey, and twice as big a driver as avoiding fines and penalties. Reputational risk is so important that being transparent—even about your faults—will improve customer perception and can lead to increased stakeholder engagement.

Improve Operational Processes: Regulatory compliance should not be viewed as simply a checkbox exercise but, rather, as something that can have significant, positive, secondary benefits on business operations.

Boosts the Bottom Line: A number of studies have found that companies with strong governance and compliance cultures perform better than their counterparts. Presumably, an organization that spends less time dealing with regulatory infractions has more time to focus on initiatives that improve competitive positioning and help gain market share. Another and perhaps more obvious conclusion to be drawn is that avoiding compliance penalties simply leads to a healthier bottom line.